Add tests for auth, rate limiting, security, and util

Add per-IP rate limiting (login + general API)
Merge branch 'zip-support'
2026-03-24 13:46:44 +01:00 · 2026-03-24 11:40:36 +01:00 · 2026-03-23 17:46:49 +01:00 · 2026-03-23 17:46:27 +01:00 · 2026-03-23 17:17:57 +01:00 · 2026-03-23 17:10:15 +01:00
14 changed files with 688 additions and 37 deletions
--- a/cmd/server/main.go
+++ b/cmd/server/main.go
@@ -1,6 +1,7 @@
 package main

 import (
+	"ResendIt/internal/api/middleware"
 	"ResendIt/internal/auth"
 	"ResendIt/internal/db"
 	"ResendIt/internal/file"
@@ -14,6 +15,7 @@ import (
 	"html/template"
 	"net/http"
 	"os"
+	"time"

 	"github.com/gin-gonic/gin"
 	"github.com/joho/godotenv"
@@ -74,6 +76,9 @@ func main() {
 	createAdminUser(userService)

 	apiRoute := r.Group("/api")
+	// General API rate limiting to reduce abuse/spam.
+	// ~60 req/min per IP with some burst room.
+	apiRoute.Use(middleware.RateLimitByIP(60, time.Minute, 30, 5*time.Minute))

 	auth.RegisterRoutes(apiRoute, authHandler)
 	user.RegisterRoutes(apiRoute, userHandler)
--- a/internal/api/middleware/ratelimit.go
+++ b/internal/api/middleware/ratelimit.go
@@ -0,0 +1,118 @@
+package middleware
+
+import (
+	"net/http"
+	"sync"
+	"time"
+
+	"github.com/gin-gonic/gin"
+)
+
+type tokenBucket struct {
+	mu     sync.Mutex
+	rate   float64 // tokens per second
+	burst  float64 // max tokens
+	tokens float64
+	last   time.Time
+}
+
+func newTokenBucket(max int, per time.Duration, burst int) *tokenBucket {
+	if burst <= 0 {
+		burst = max
+	}
+	rate := float64(max) / per.Seconds()
+	b := float64(burst)
+	now := time.Now()
+	return &tokenBucket{rate: rate, burst: b, tokens: b, last: now}
+}
+
+func (b *tokenBucket) allow() bool {
+	b.mu.Lock()
+	defer b.mu.Unlock()
+
+	now := time.Now()
+	delta := now.Sub(b.last).Seconds()
+	b.last = now
+
+	b.tokens += delta * b.rate
+	if b.tokens > b.burst {
+		b.tokens = b.burst
+	}
+
+	if b.tokens < 1 {
+		return false
+	}
+	b.tokens -= 1
+	return true
+}
+
+type ipClient struct {
+	bucket   *tokenBucket
+	lastSeen time.Time
+}
+
+// RateLimitByIP returns a Gin middleware that rate limits requests per client IP.
+//
+// max: max requests per time window (per)
+// per: the time window duration
+// burst: optional burst capacity (defaults to max if <=0)
+// ttl: how long to keep idle IP buckets around
+func RateLimitByIP(max int, per time.Duration, burst int, ttl time.Duration) gin.HandlerFunc {
+	var (
+		mu      sync.Mutex
+		clients = make(map[string]*ipClient)
+	)
+
+	// opportunistic cleanup (runs at most once per minute)
+	var (
+		cleanupMu   sync.Mutex
+		lastCleanup time.Time
+	)
+
+	cleanup := func(now time.Time) {
+		cleanupMu.Lock()
+		defer cleanupMu.Unlock()
+		if !lastCleanup.IsZero() && now.Sub(lastCleanup) < time.Minute {
+			return
+		}
+		lastCleanup = now
+
+		mu.Lock()
+		defer mu.Unlock()
+		for ip, c := range clients {
+			if now.Sub(c.lastSeen) > ttl {
+				delete(clients, ip)
+			}
+		}
+	}
+
+	getClient := func(ip string, now time.Time) *ipClient {
+		mu.Lock()
+		defer mu.Unlock()
+		c, ok := clients[ip]
+		if !ok {
+			c = &ipClient{bucket: newTokenBucket(max, per, burst), lastSeen: now}
+			clients[ip] = c
+			return c
+		}
+		c.lastSeen = now
+		return c
+	}
+
+	return func(c *gin.Context) {
+		now := time.Now()
+		cleanup(now)
+
+		ip := c.ClientIP()
+		client := getClient(ip, now)
+
+		if !client.bucket.allow() {
+			c.AbortWithStatusJSON(http.StatusTooManyRequests, gin.H{
+				"error": "rate limit exceeded",
+			})
+			return
+		}
+
+		c.Next()
+	}
+}
--- a/internal/api/middleware/ratelimit_test.go
+++ b/internal/api/middleware/ratelimit_test.go
@@ -0,0 +1,64 @@
+package middleware
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"testing"
+	"time"
+
+	"github.com/gin-gonic/gin"
+)
+
+func TestRateLimitByIP_BlocksAfterLimit(t *testing.T) {
+	gin.SetMode(gin.TestMode)
+
+	r := gin.New()
+	// 1 request per hour, burst 1 => second immediate request should 429.
+	r.Use(RateLimitByIP(1, time.Hour, 1, time.Minute))
+	r.GET("/", func(c *gin.Context) { c.String(200, "ok") })
+
+	req := httptest.NewRequest(http.MethodGet, "/", nil)
+	req.RemoteAddr = "203.0.113.10:1234"
+
+	w1 := httptest.NewRecorder()
+	r.ServeHTTP(w1, req)
+	if w1.Code != http.StatusOK {
+		t.Fatalf("first request code = %d, want %d", w1.Code, http.StatusOK)
+	}
+
+	w2 := httptest.NewRecorder()
+	r.ServeHTTP(w2, req)
+	if w2.Code != http.StatusTooManyRequests {
+		t.Fatalf("second request code = %d, want %d", w2.Code, http.StatusTooManyRequests)
+	}
+}
+
+func TestRateLimitByIP_AllowsBurst(t *testing.T) {
+	gin.SetMode(gin.TestMode)
+
+	r := gin.New()
+	// 1 per hour, but burst 2 => first two immediate requests should pass.
+	r.Use(RateLimitByIP(1, time.Hour, 2, time.Minute))
+	r.GET("/", func(c *gin.Context) { c.String(200, "ok") })
+
+	req := httptest.NewRequest(http.MethodGet, "/", nil)
+	req.RemoteAddr = "203.0.113.11:1234"
+
+	w1 := httptest.NewRecorder()
+	r.ServeHTTP(w1, req)
+	if w1.Code != http.StatusOK {
+		t.Fatalf("first request code = %d, want %d", w1.Code, http.StatusOK)
+	}
+
+	w2 := httptest.NewRecorder()
+	r.ServeHTTP(w2, req)
+	if w2.Code != http.StatusOK {
+		t.Fatalf("second request code = %d, want %d", w2.Code, http.StatusOK)
+	}
+
+	w3 := httptest.NewRecorder()
+	r.ServeHTTP(w3, req)
+	if w3.Code != http.StatusTooManyRequests {
+		t.Fatalf("third request code = %d, want %d", w3.Code, http.StatusTooManyRequests)
+	}
+}
--- a/internal/auth/routes.go
+++ b/internal/auth/routes.go
@@ -2,6 +2,7 @@ package auth

 import (
 	"ResendIt/internal/api/middleware"
+	"time"

 	"github.com/gin-gonic/gin"
 )
@@ -9,7 +10,9 @@ import (
 func RegisterRoutes(r *gin.RouterGroup, h *Handler) {
 	auth := r.Group("/auth")

-	auth.POST("/login", h.Login)
+	// Stricter rate limit on login to reduce brute-force / log spam.
+	// 5 attempts per minute per IP, burst 10.
+	auth.POST("/login", middleware.RateLimitByIP(5, time.Minute, 10, 15*time.Minute), h.Login)

 	protected := auth.Group("/")
 	protected.Use(middleware.AuthMiddleware())
--- a/internal/auth/service_test.go
+++ b/internal/auth/service_test.go
@@ -0,0 +1,82 @@
+package auth
+
+import (
+	"ResendIt/internal/security"
+	"ResendIt/internal/user"
+	"testing"
+
+	"gorm.io/driver/sqlite"
+	"gorm.io/gorm"
+)
+
+func TestServiceLogin_InvalidUserDoesNotEnumerate(t *testing.T) {
+	db, err := gorm.Open(sqlite.Open(":memory:"), &gorm.Config{})
+	if err != nil {
+		t.Fatalf("open sqlite: %v", err)
+	}
+	if err := db.AutoMigrate(&user.User{}); err != nil {
+		t.Fatalf("migrate: %v", err)
+	}
+
+	svc := NewService(NewRepository(db))
+
+	_, err = svc.Login("does-not-exist", "whatever")
+	if err != ErrInvalidCredentials {
+		t.Fatalf("expected ErrInvalidCredentials for missing user, got %v", err)
+	}
+}
+
+func TestServiceLogin_WrongPassword(t *testing.T) {
+	db, err := gorm.Open(sqlite.Open(":memory:"), &gorm.Config{})
+	if err != nil {
+		t.Fatalf("open sqlite: %v", err)
+	}
+	if err := db.AutoMigrate(&user.User{}); err != nil {
+		t.Fatalf("migrate: %v", err)
+	}
+
+	hash, err := security.HashPassword("right")
+	if err != nil {
+		t.Fatalf("hash: %v", err)
+	}
+
+	u := user.User{Username: "alice", PasswordHash: hash, Role: "user"}
+	if err := db.Create(&u).Error; err != nil {
+		t.Fatalf("create user: %v", err)
+	}
+
+	svc := NewService(NewRepository(db))
+	_, err = svc.Login("alice", "wrong")
+	if err != ErrInvalidCredentials {
+		t.Fatalf("expected ErrInvalidCredentials for wrong password, got %v", err)
+	}
+}
+
+func TestServiceLogin_SuccessReturnsJWT(t *testing.T) {
+	db, err := gorm.Open(sqlite.Open(":memory:"), &gorm.Config{})
+	if err != nil {
+		t.Fatalf("open sqlite: %v", err)
+	}
+	if err := db.AutoMigrate(&user.User{}); err != nil {
+		t.Fatalf("migrate: %v", err)
+	}
+
+	hash, err := security.HashPassword("right")
+	if err != nil {
+		t.Fatalf("hash: %v", err)
+	}
+
+	u := user.User{Username: "alice", PasswordHash: hash, Role: "user"}
+	if err := db.Create(&u).Error; err != nil {
+		t.Fatalf("create user: %v", err)
+	}
+
+	svc := NewService(NewRepository(db))
+	token, err := svc.Login("alice", "right")
+	if err != nil {
+		t.Fatalf("expected success, got error: %v", err)
+	}
+	if token == "" {
+		t.Fatalf("expected non-empty jwt token")
+	}
+}
--- a/internal/file/handlers.go
+++ b/internal/file/handlers.go
@@ -1,6 +1,7 @@
 package file

 import (
+	"ResendIt/internal/util"
 	"fmt"
 	"net/http"
 	"path/filepath"
@@ -77,27 +78,12 @@ func (h *Handler) View(c *gin.Context) {
 		c.HTML(http.StatusOK, "fileNotFound.html", nil)
 		return
 	}
-
-	c.Header("Content-Disposition", fmt.Sprintf(`inline; filename="%s"`, record.Filename))
+	name := util.SafeFilename(record.Filename)
+	c.Header("Content-Disposition", fmt.Sprintf(`inline; filename="%s"`, name))
 	c.Header("X-Content-Type-Options", "nosniff")
 	c.File(record.Path)
 }

-func safeFilename(name string) string {
-	// keep it simple: drop control chars and quotes
-	out := make([]rune, 0, len(name))
-	for _, r := range name {
-		if r < 32 || r == 127 || r == '"' || r == '\\' {
-			continue
-		}
-		out = append(out, r)
-	}
-	if len(out) == 0 {
-		return "file"
-	}
-	return string(out)
-}
-
 func isXSSRisk(filename string) bool {
 	ext := filepath.Ext(filename)
 	switch ext {
@@ -116,8 +102,8 @@ func (h *Handler) Download(c *gin.Context) {
 		c.HTML(http.StatusOK, "fileNotFound.html", nil)
 		return
 	}
-
-	c.Header("Content-Disposition", fmt.Sprintf(`inline; filename="%s"`, record.Filename))
+	name := util.SafeFilename(record.Filename)
+	c.Header("Content-Disposition", fmt.Sprintf(`inline; filename="%s"`, name))
 	c.Header("X-Content-Type-Options", "nosniff")
 	//c.Header("Content-Security-Policy", "default-src 'none'; img-src 'self'; media-src 'self'; script-src 'none'; style-src 'none';")
 	//c.Header("Content-Type", "application/octet-stream")
--- a/internal/file/routes.go
+++ b/internal/file/routes.go
@@ -10,6 +10,7 @@ func RegisterRoutes(r *gin.RouterGroup, h *Handler) {
 	files := r.Group("/files")

 	files.POST("/upload", h.Upload)
+	files.POST("/upload-multi", h.UploadMulti)
 	//files.GET("/download/:id", h.Download)

 	files.GET("/view/:id", h.View)
--- a/internal/file/upload_multi.go
+++ b/internal/file/upload_multi.go
@@ -0,0 +1,57 @@
+package file
+
+import (
+	"net/http"
+	"strconv"
+	"time"
+
+	"github.com/gin-gonic/gin"
+)
+
+// UploadMulti accepts up to 10 files, zips them server-side, and returns a single download/view key.
+func (h *Handler) UploadMulti(c *gin.Context) {
+	if err := c.Request.ParseMultipartForm(0); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+		return
+	}
+
+	form, err := c.MultipartForm()
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid multipart form"})
+		return
+	}
+
+	files := form.File["files"]
+	if len(files) == 0 {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "missing files"})
+		return
+	}
+	if len(files) > 50 {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "too many files (max 50)"})
+		return
+	}
+
+	once := c.PostForm("once") == "true"
+
+	durationStr := c.PostForm("duration")
+	hours, err := strconv.Atoi(durationStr)
+	if err != nil || hours <= 0 {
+		hours = 24
+	}
+	duration := time.Duration(hours) * time.Hour
+
+	record, err := h.service.UploadBundle(files, once, duration)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+		return
+	}
+
+	c.JSON(http.StatusOK, gin.H{
+		"id":          record.ID,
+		"deletion_id": record.DeletionID,
+		"filename":    record.Filename,
+		"size":        record.Size,
+		"expires_at":  record.ExpiresAt,
+		"view_key":    record.ViewID,
+	})
+}
--- a/internal/file/zip.go
+++ b/internal/file/zip.go
@@ -0,0 +1,159 @@
+package file
+
+import (
+	"ResendIt/internal/util"
+	"archive/zip"
+	"errors"
+	"fmt"
+	"io"
+	"mime/multipart"
+	"os"
+	"path/filepath"
+	"strings"
+	"time"
+
+	"github.com/google/uuid"
+)
+
+func safeZipName(name string) string {
+	name = filepath.Base(name)
+	name = strings.ReplaceAll(name, "\\", "_")
+	name = strings.ReplaceAll(name, "/", "_")
+	name = strings.TrimSpace(name)
+	if name == "" || name == "." {
+		return "file"
+	}
+	return name
+}
+
+func dedupeName(name string, seen map[string]int) string {
+	if _, ok := seen[name]; !ok {
+		seen[name] = 1
+		return name
+	}
+	seen[name]++
+	ext := filepath.Ext(name)
+	base := strings.TrimSuffix(name, ext)
+	return fmt.Sprintf("%s (%d)%s", base, seen[name], ext)
+}
+
+func cuteZipName(fileCount int) string {
+	adjective := util.RandomAdjective()
+	verb := util.RandomVerb()
+	thing := util.RandomThing()
+	return fmt.Sprintf("%d%s%s%s.zip", fileCount, adjective, verb, thing)
+}
+
+// UploadBundle zips multiple uploaded files into a single .zip stored on disk and tracked as one FileRecord.
+func (s *Service) UploadBundle(files []*multipart.FileHeader, deleteAfterDownload bool, expiresAfter time.Duration) (*FileRecord, error) {
+	if len(files) == 0 {
+		return nil, errors.New("no files")
+	}
+	if len(files) > 50 {
+		return nil, errors.New("too many files (max 50)")
+	}
+
+	folderID := uuid.NewString()
+	folderPath := filepath.Join(s.storageDir, folderID)
+	if err := os.MkdirAll(folderPath, os.ModePerm); err != nil {
+		return nil, err
+	}
+
+	zipDiskName := uuid.NewString() + ".zip"
+	zipPath := filepath.Join(folderPath, zipDiskName)
+
+	out, err := os.Create(zipPath)
+	if err != nil {
+		return nil, err
+	}
+	defer func() {
+		_ = out.Close()
+		if err != nil {
+			_ = os.Remove(zipPath)
+		}
+	}()
+
+	zw := zip.NewWriter(out)
+	defer func() { _ = zw.Close() }()
+
+	seen := map[string]int{}
+	for _, fh := range files {
+		rc, openErr := fh.Open()
+		if openErr != nil {
+			err = openErr
+			return nil, openErr
+		}
+
+		name := dedupeName(safeZipName(fh.Filename), seen)
+		h, _ := zip.FileInfoHeader(dummyFileInfo{name: name, size: fh.Size, mod: time.Now()})
+		h.Name = name
+		h.Method = zip.Deflate
+
+		w, createErr := zw.CreateHeader(h)
+		if createErr != nil {
+			_ = rc.Close()
+			err = createErr
+			return nil, createErr
+		}
+
+		if _, copyErr := io.Copy(w, rc); copyErr != nil {
+			_ = rc.Close()
+			err = copyErr
+			return nil, copyErr
+		}
+		_ = rc.Close()
+	}
+
+	if closeErr := zw.Close(); closeErr != nil {
+		err = closeErr
+		return nil, closeErr
+	}
+	if closeErr := out.Close(); closeErr != nil {
+		err = closeErr
+		return nil, closeErr
+	}
+
+	zipDisplayName := cuteZipName(len(files))
+
+	f := &FileRecord{
+		ID:                  folderID,
+		DeletionID:          uuid.NewString(),
+		ViewID:              uuid.NewString(),
+		Filename:            zipDisplayName,
+		Path:                zipPath,
+		Size:                fileSize(zipPath),
+		CreatedAt:           time.Now(),
+		ExpiresAt:           time.Now().Add(expiresAfter),
+		DeleteAfterDownload: deleteAfterDownload,
+	}
+
+	if err := s.repo.Create(f); err != nil {
+		return nil, err
+	}
+
+	return f, nil
+}
+
+func fileSize(path string) int64 {
+	st, err := os.Stat(path)
+	if err != nil {
+		return 0
+	}
+	return st.Size()
+}
+
+// dummyFileInfo provides minimal os.FileInfo for zip headers.
+// This avoids relying on the underlying uploaded file having a real modtime.
+// (zip.Writer can work without this too, but headers look nicer.)
+type dummyFileInfo struct {
+	name string
+	size int64
+	mod  time.Time
+}
+
+func (d dummyFileInfo) Name() string       { return d.name }
+func (d dummyFileInfo) Size() int64        { return d.size }
+func (d dummyFileInfo) Mode() os.FileMode  { return 0o644 }
+func (d dummyFileInfo) ModTime() time.Time { return d.mod }
+func (d dummyFileInfo) IsDir() bool        { return false }
+func (d dummyFileInfo) Sys() any           { return nil }
--- a/internal/security/password_test.go
+++ b/internal/security/password_test.go
@@ -0,0 +1,22 @@
+package security
+
+import "testing"
+
+func TestHashAndCheckPassword(t *testing.T) {
+	pw := "correct horse battery staple"
+
+	hash, err := HashPassword(pw)
+	if err != nil {
+		t.Fatalf("HashPassword returned error: %v", err)
+	}
+	if hash == "" {
+		t.Fatalf("expected non-empty hash")
+	}
+
+	if !CheckPassword(pw, hash) {
+		t.Fatalf("expected CheckPassword to succeed for correct password")
+	}
+	if CheckPassword("wrong", hash) {
+		t.Fatalf("expected CheckPassword to fail for wrong password")
+	}
+}
--- a/internal/util/util.go
+++ b/internal/util/util.go
@@ -1,6 +1,9 @@
 package util

-import "fmt"
+import (
+	"fmt"
+	"strings"
+)

 func HumanSize(size int64) string {
 	const unit = 1024
@@ -17,3 +20,24 @@ func HumanSize(size int64) string {
 		"KMGTPE"[exp],
 	)
 }
+
+func SafeFilename(name string) string {
+	name = strings.TrimSpace(name)
+
+	out := make([]rune, 0, len(name))
+	for _, r := range name {
+		// block control chars (incl CR/LF/TAB), DEL, quotes, backslash
+		if r < 32 || r == 127 || r == '"' || r == '\\' {
+			continue
+		}
+		out = append(out, r)
+	}
+	if len(out) == 0 {
+		return "file"
+	}
+	// optional: cap length
+	if len(out) > 200 {
+		out = out[:200]
+	}
+	return string(out)
+}
--- a/internal/util/util_test.go
+++ b/internal/util/util_test.go
@@ -0,0 +1,40 @@
+package util
+
+import "testing"
+
+func TestHumanSize(t *testing.T) {
+	tests := []struct {
+		in   int64
+		want string
+	}{
+		{0, "0 B"},
+		{1, "1 B"},
+		{1023, "1023 B"},
+		{1024, "1.0 KB"},
+		{1024 * 1024, "1.0 MB"},
+	}
+
+	for _, tt := range tests {
+		if got := HumanSize(tt.in); got != tt.want {
+			t.Fatalf("HumanSize(%d) = %q, want %q", tt.in, got, tt.want)
+		}
+	}
+}
+
+func TestSafeFilename(t *testing.T) {
+	if got := SafeFilename("  hello.txt  "); got != "hello.txt" {
+		t.Fatalf("expected trimmed filename, got %q", got)
+	}
+
+	// Strips control characters, quotes, and backslashes.
+	in := "a\n\rb\t\"c\\d"
+	got := SafeFilename(in)
+	if got != "abcd" {
+		t.Fatalf("SafeFilename(%q) = %q, want %q", in, got, "abcd")
+	}
+
+	// Empty after sanitization becomes default.
+	if got := SafeFilename("\n\r\t"); got != "file" {
+		t.Fatalf("expected default filename, got %q", got)
+	}
+}
--- a/internal/util/worldlist.go
+++ b/internal/util/worldlist.go
@@ -0,0 +1,47 @@
+package util
+
+import "math/rand"
+
+var Adjectives = []string{
+	"Cool", "Super", "Hot", "Spicy", "Sneaky", "Sleepy", "Tiny", "Mega", "Cosmic", "Silly",
+	"Cursed", "Blessed", "Wiggly", "Giga", "Chonky", "Shiny", "Angry", "Happy", "Soft", "Turbo",
+	"Zany", "Snappy", "Fluffy", "Cranky", "Glitchy", "Bubbly", "Frosty", "Electric", "Jolly", "Mystic",
+	"Weird", "Chunky", "Psycho", "Cheesy", "Smelly", "Slippery", "Fiery", "Wacky", "Vivid", "Hyper",
+	"Soggy", "Grumpy", "Luminous", "Spooky", "Funky", "Twisted", "Nifty", "Prickly", "Velvet", "Epic",
+	"Glorious", "Majestic", "Quirky", "Radiant", "Sneaky", "Bouncy", "Mysterious", "Noodle", "Raging", "Zesty",
+	"Shimmering", "Fabled", "Plush", "Snazzy", "Stormy", "Gleaming", "Vibrant", "Odd", "Tasty", "Whimsical",
+	"Feral", "Clever", "Jumpy", "Dizzy", "Wicked", "Chilly", "Hasty", "Bizarre", "Snug", "Cheerful",
+}
+
+var Things = []string{
+	"Potato", "Griefers", "Raccoons", "Pigeons", "Wizards", "Ninjas", "Pickles", "Dragons", "Goblins", "Burgers",
+	"Pancakes", "Hamsters", "Bananas", "Comets", "Robots", "Cats", "Kiwis", "Frogs", "Cupcakes", "Sprites",
+	"Monsters", "Aliens", "Slimes", "Tacos", "Unicorns", "Ghosts", "Snails", "Vampires", "Donuts", "Owls",
+	"Zombies", "Mermaids", "Beavers", "Octopuses", "Chickens", "Penguins", "Mushrooms", "Felines", "Llamas", "Waffles",
+	"Baboons", "Dragettes", "Pixies", "Sharks", "Elephants", "Squirrels", "Gnomes", "Wombats", "Cacti", "Puppets",
+	"Koalas", "Moose", "Yeti", "Bats", "Crabs", "Otters", "Trolls", "Geckos", "Parrots", "Snakes",
+	"Sloths", "Clowns", "Jellyfish", "Froggies", "Dragoneers", "Nuggets", "Sprites", "Critters", "Knights", "Squids",
+	"Tigers", "Foxes", "Penguinos", "Burglebugs", "Clouds", "Fireflies", "Shrooms", "Mice", "Wizards", "Berries",
+}
+
+var Verbs = []string{
+	"Zoom", "Bonk", "Yeet", "Vibe", "Hack", "Spark", "Bounce", "Nibble", "Smuggle", "Cook",
+	"Flick", "Slap", "Whack", "Zap", "Blast", "Slam", "Twist", "Flip", "Slide", "Crash",
+	"Pop", "Fling", "Snatch", "Boing", "Sizzle", "Clap", "Roar", "Sniff", "Swoop", "Blink",
+	"Dodge", "Smash", "Roll", "Twirl", "Snore", "Drip", "Slurp", "Chomp", "Shuffle", "Juggle",
+	"Bounce", "Whirl", "Gush", "Spit", "Frolic", "Honk", "Wiggle", "Crackle", "Pounce", "Sprinkle",
+	"Slam", "Zoomerang", "Flop", "Squish", "Boop", "Whiz", "Flipflop", "Snip", "Glide", "Zapzap",
+	"Bop", "Wobble", "Fumble", "Twinkle", "Splash", "Dribble", "Clobber", "Whackadoo", "Bounceback", "Snizzle",
+}
+
+func RandomAdjective() string {
+	return Adjectives[rand.Intn(len(Adjectives))]
+}
+
+func RandomThing() string {
+	return Things[rand.Intn(len(Things))]
+}
+
+func RandomVerb() string {
+	return Verbs[rand.Intn(len(Verbs))]
+}
--- a/templates/index.html
+++ b/templates/index.html
@@ -102,7 +102,7 @@

        <div id="upload-ui">
            <div id="drop-zone" class="drop-zone mb-4">
-                <input type="file" id="fileInput" class="hidden">
+                <input type="file" id="fileInput" class="hidden" multiple>

                <div id="dz-content">
                    <span id="dz-text" class="text-sm">Click to select or drop file</span>
@@ -232,20 +232,36 @@

    input.onchange = () => {
        if (input.files.length) {
-            showFile(input.files[0]);
+            showFiles(input.files);
            uploadBtn.disabled = false;
        } else {
            uploadBtn.disabled = true;
        }
    };

-    function showFile(file) {
+    function showFiles(fileList) {
+        const files = Array.from(fileList || []);
+        if (files.length === 0) return;
+
+        const total = files.reduce((acc, f) => acc + f.size, 0);
+
+        if (files.length === 1) {
            document.getElementById('dz-text').innerText =
-            `${file.name} (${formatBytes(file.size)})`;
+                `${files[0].name} (${formatBytes(files[0].size)})`;
+            return;
+        }
+
+        document.getElementById('dz-text').innerText =
+            `${files.length} FILES (${formatBytes(total)}) — will be zipped`;
    }

    uploadBtn.onclick = () => {
-        if (input.files.length) handleUpload(input.files[0]);
+        if (!input.files.length) return;
+        if (input.files.length === 1) {
+            handleUploadSingle(input.files[0]);
+        } else {
+            handleUploadMulti(input.files);
+        }
    };

    cancelBtn.onclick = (e) => {
@@ -257,7 +273,15 @@
        }
    };

-    function handleUpload(file) {
+    function commonFormData() {
+        const fd = new FormData();
+        fd.append("once", document.getElementById("once").checked ? "true" : "false");
+        const hours = parseInt(document.getElementById("duration").value, 10);
+        fd.append("duration", hours);
+        return fd;
+    }
+
+    function startUploadUI() {
        uploadBtn.disabled = true;
        uploadBtn.innerText = "UPLOADING...";
        cancelBtn.classList.remove('hidden');
@@ -265,16 +289,9 @@
        progressContainer.classList.remove("hidden");
        progressText.classList.remove("hidden");
        statsText.classList.remove("hidden");
+    }

-        const fd = new FormData();
-        fd.append("file", file);
-        fd.append("once", document.getElementById("once").checked ? "true" : "false");
-        const hours = parseInt(document.getElementById("duration").value, 10);
-        fd.append("duration", hours);
-
-        const xhr = new XMLHttpRequest();
-        currentXhr = xhr;
-
+    function setupXHRHandlers(xhr) {
        let startTime = Date.now();

        xhr.upload.onprogress = (e) => {
@@ -301,7 +318,6 @@
                    const data = JSON.parse(xhr.responseText);
                    if (data.error) throw new Error(data.error);

-                    // Redirect using view key
                    window.location.href = "/f/" + data.view_key;

                } catch (err) {
@@ -319,11 +335,38 @@
                location.reload();
            }
        };
+    }
+
+    function handleUploadSingle(file) {
+        startUploadUI();
+
+        const fd = commonFormData();
+        fd.append("file", file);
+
+        const xhr = new XMLHttpRequest();
+        currentXhr = xhr;
+
+        setupXHRHandlers(xhr);

        xhr.open("POST", "/api/files/upload");
        xhr.send(fd);
    }

+    function handleUploadMulti(fileList) {
+        startUploadUI();
+
+        const fd = commonFormData();
+        Array.from(fileList).forEach(f => fd.append("files", f));
+
+        const xhr = new XMLHttpRequest();
+        currentXhr = xhr;
+
+        setupXHRHandlers(xhr);
+
+        xhr.open("POST", "/api/files/upload-multi");
+        xhr.send(fd);
+    }
+
    function copy(id) {
        const el = document.getElementById(id);
        el.select();
Author	SHA1	Message	Date
root	7b1293bb6f	Add tests for auth, rate limiting, security, and util	2026-03-24 13:46:44 +01:00
root	d9de02f08d	Add per-IP rate limiting (login + general API)	2026-03-24 11:40:36 +01:00
Bram	e2d8bd344d	Merge branch 'zip-support'	2026-03-23 17:46:49 +01:00
Bram	82eb9de5f1	fix file naming sanitisation	2026-03-23 17:46:27 +01:00
Bram	5bcca61d59	Move wordlist and increase file limit	2026-03-23 17:17:57 +01:00
root	db5c2558f8	Zip bundles: generate cutesy zip display names	2026-03-23 17:10:15 +01:00
root	09d919ca27	Add multi-file upload that zips files server-side	2026-03-23 17:02:26 +01:00